sponsor logo

First Flight #4


First Flight #4: Boss Bridge

First Flight #4 has you delving into Boss Bridge, a simple protocol allowing users to move tokens from Layer 1 to Layer 2.

Start Date Nov 9th, 2023 (12:00)
End Date Nov 15th, 2023 (12:00)
Time Left 0d/0h/0m


Contest Details

  • Total Prize Pool:
    • High: 100XP
    • Medium: 20XP
    • Low: 2XP
  • Starts - November 09, 2023
  • Ends - November 15, 2023


  • nSLOC: 99
  • Complexity Score: 106

Boss Bridge

This project presents a simple bridge mechanism to move our ERC20 token from L1 to an L2 we're building. The L2 part of the bridge is still under construction, so we don't include it here.

In a nutshell, the bridge allows users to deposit tokens, which are held into a secure vault on L1. Successful deposits trigger an event that our off-chain mechanism picks up, parses it and mints the corresponding tokens on L2.

To ensure user safety, this first version of the bridge has a few security mechanisms in place:

  • The owner of the bridge can pause operations in emergency situations.
  • Because deposits are permissionless, there's an strict limit of tokens that can be deposited.
  • Withdrawals must be approved by a bridge operator.

We plan on launching L1BossBridge on both Ethereum Mainnet and ZKSync.

Token Compatibility

For the moment, assume only the L1Token.sol or copies of it will be used as tokens for the bridge. This means all other ERC20s and their weirdness is considered out-of-scope.

On withdrawals

The bridge operator is in charge of signing withdrawal requests submitted by users. These will be submitted on the L2 component of the bridge, not included here. Our service will validate the payloads submitted by users, checking that the account submitting the withdrawal has first originated a successful deposit in the L1 part of the bridge.

Getting Started


  • git
    • You'll know you did it right if you can run git --version and you see a response like git version x.x.x
  • foundry
    • You'll know you did it right if you can run forge --version and you see a response like forge 0.2.0 (816e00b 2023-03-16T00:05:26.396218Z)


git clone https://github.com/Cyfrin/2023-11-Boss-Bridge.git
cd 2023-11-Boss-Bridge


git clone https://github.com/Cyfrin/2023-11-Boss-Bridge.git
cd 2023-11-Boss-Bridge
forge install
forge build



forge test

Test Coverage

forge coverage

and for coverage based testing:

forge coverage --report debug

Static Analysis


make slither


make aderyn

Audit Scope Details

  • Commit Hash: 07af21653ab3e8a8362bf5f63eb058047f562375
  • In scope
#-- L1BossBridge.sol
#-- L1Token.sol
#-- L1Vault.sol
#-- TokenFactory.sol
  • Solc Version: 0.8.20
  • Chain(s) to deploy contracts to:
    • Ethereum Mainnet:
      • L1BossBridge.sol
      • L1Token.sol
      • L1Vault.sol
      • TokenFactory.sol
    • ZKSync Era:
      • TokenFactory.sol
    • Tokens:
      • L1Token.sol (And copies, with different names & initial supplies)


  • Bridge Owner: A centralized bridge owner who can:
    • pause/unpause the bridge in the event of an emergency
    • set Signers (see below)
  • Signer: Users who can "send" a token from L2 -> L1.
  • Vault: The contract owned by the bridge that holds the tokens.
  • Users: Users mainly only call depositTokensToL2, when they want to send tokens from L1 -> L2.

Known Issues

  • We are aware the bridge is centralized and owned by a single user, aka it is centralized.
  • We are missing some zero address checks/input validation intentionally to save gas.
  • We have magic numbers defined as literals that should be constants.
  • Assume the deployToken will always correctly have an L1Token.sol copy, and not some weird erc20